.N IIS - Nimda Worm #Policy Name
.L 2 #Policy structure
.D This policy detects multiple versions of the Nimda worm. The worm sends itself out by email, searches for open network shares, and attempts to copy itself to unpatched or already vulnerable Microsoft IIS web servers. #Policy Description
.V 1012339087 #Policy revision number
.Z 168 #Policy ID
.Z 168 #Policy ID
.R Nimda Detected #Rule Definition
..D Reference: Symantec Security Response W32.Nimda.A@mm Writeup #Rule Description
..Z 169 #Rule ID
..K #Rule And Select logic
..V 90 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T */cmd.exe?/c+* #Regular text
....T */cmd.exe\?/c\+* #Regular text
....T */MSADC/root.exe?/c+* #Regular text
....C 1 #Case sensitivity
....Z 207 #ID of the clause
..S #Select Clause(s)
...G HTTP Request Types #System Message
....T *DELETE* #Regular text
....T *GET* #Regular text
....T *HEAD* #Regular text
....T *POST* #Regular text
....C 0 #Case sensitivity
....Z 208 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 171 #ID of the clause